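/**
 * @license
 * Copyright 2025 Vybestack LLC
 * SPDX-License-Identifier: Apache-2.0
 */
import { type CodexOAuthToken } from './types.js';

/**
 * Codex OAuth PKCE flow implementation.
 *
 * Implements the OAuth 2.0 Authorization Code flow with PKCE for Codex
 * authentication, plus a browserless device-code variant
 * (`requestDeviceCode` -> `pollForDeviceToken` -> `completeDeviceAuth`).
 *
 * Values handled by this class that must be treated as secrets and kept out
 * of logs, error messages and telemetry: authorization codes, PKCE code
 * verifiers, refresh tokens, access tokens and id_tokens.
 */
export declare class CodexDeviceFlow {
  private logger;
  // Presumably holds the pending PKCE verifiers keyed by `state`
  // (exchangeCodeForToken throws when none is found for a state) — confirm
  // against the implementation, including whether entries are removed after use.
  private codeVerifiers;

  constructor();

  /**
   * Build the authorization URL for the browser-based OAuth flow.
   *
   * `state` is the CSRF defence for the redirect: generate it from a
   * cryptographically secure random source, use a fresh value per attempt,
   * and compare the value returned on the callback with the one issued here
   * before calling `exchangeCodeForToken`. This declaration does not show
   * whether the class performs that comparison itself.
   *
   * @param redirectUri Callback URL for OAuth redirect
   * @param state Random state parameter for CSRF protection
   * @returns Authorization URL to open in browser
   */
  buildAuthorizationUrl(redirectUri: string, state: string): string;

  /**
   * Exchange an authorization code for OAuth tokens.
   *
   * @param authCode Authorization code from OAuth callback
   * @param redirectUri Callback URL (must match the one used in the authorization request)
   * @param state State parameter from OAuth callback; used to find the PKCE
   *   code verifier created for this attempt
   * @returns Validated CodexOAuthToken with account_id
   * @throws Error if code verifier not found for state or token exchange fails
   */
  exchangeCodeForToken(
    authCode: string,
    redirectUri: string,
    state: string,
  ): Promise<CodexOAuthToken>;

  /**
   * Refresh an expired access token using a refresh token.
   *
   * The refresh token is a long-lived credential: store it with the same
   * protection as the access token and never log it.
   *
   * @param refreshToken Valid refresh token
   * @returns New CodexOAuthToken with updated expiry
   * @throws Error if refresh fails or id_token missing
   */
  refreshToken(refreshToken: string): Promise<CodexOAuthToken>;

  /**
   * Extract account_id from the id_token JWT without external libraries.
   * JWT format: header.payload.signature (base64url encoded).
   *
   * NOTE(review): the description covers decoding only and mentions no
   * signature, issuer, audience or expiry check. Reading claims without
   * verifying the signature is only defensible when the id_token arrives
   * directly from the token endpoint over a validated TLS connection.
   * Confirm that this helper is never fed a token from any other source and
   * that account_id is not used for an authorization decision on its own.
   *
   * @param idToken JWT id_token from OAuth response
   * @returns account_id extracted from JWT claims
   * @throws Error if JWT format invalid or account_id not found
   */
  private extractAccountIdFromIdToken;

  /**
   * Helper to throw an error when id_token is missing.
   * @throws Error indicating id_token required
   */
  private throwMissingAccountId;

  /**
   * Request a user code for the device authorization flow (browserless
   * authentication).
   *
   * `user_code` is shown to the person completing sign-in on another device;
   * `device_auth_id` identifies the pending request and is passed back to
   * `pollForDeviceToken`.
   *
   * @returns Device code response with user_code and device_auth_id
   */
  requestDeviceCode(): Promise<{
    device_auth_id: string;
    user_code: string;
    interval: number;
  }>;

  /**
   * Poll for the authorization code using device authorization.
   *
   * The resolved object carries the PKCE `code_verifier`, which is a secret:
   * pass it straight to `completeDeviceAuth` and do not persist or log it.
   *
   * NOTE(review): the signature exposes no timeout, attempt limit or
   * cancellation handle — confirm the implementation bounds the polling loop
   * and honours the server-provided interval.
   *
   * @param deviceAuthId Device authorization ID
   * @param userCode User code from device flow
   * @param intervalSeconds Polling interval in seconds
   * @returns Authorization code and PKCE codes for token exchange
   */
  pollForDeviceToken(
    deviceAuthId: string,
    userCode: string,
    intervalSeconds?: number,
  ): Promise<{
    authorization_code: string;
    code_verifier: string;
    code_challenge: string;
  }>;

  /**
   * Complete the device authorization flow by exchanging the authorization
   * code for tokens.
   *
   * NOTE(review): the resolved type is taken from the `@returns` text and the
   * file's only imported token type — confirm against the implementation.
   *
   * @param authorizationCode Authorization code from polling response
   * @param codeVerifier PKCE code verifier from polling response
   * @param redirectUri OAuth redirect URI
   * @returns Complete OAuth token with access_token, refresh_token, etc.
   */
  completeDeviceAuth(
    authorizationCode: string,
    codeVerifier: string,
    redirectUri: string,
  ): Promise<CodexOAuthToken>;

  /**
   * Generate PKCE code verifier and challenge.
   *
   * NOTE(review): the verifier must come from a cryptographically secure
   * random source and the challenge should use the S256 method; neither is
   * visible in this declaration — confirm in the implementation.
   *
   * @returns Object containing verifier and challenge strings
   */
  private generatePKCE;
}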